Enable logout redirection for reverse proxy setups #36085
Conversation
GiteaBot
added
the
lgtm/need 2
github-actions
bot
added
modifies/go
| m.Post("/recover_account", auth.ResetPasswdPost) | ||
| m.Get("/forgot_password", auth.ForgotPasswd) | ||
| m.Post("/forgot_password", auth.ForgotPasswdPost) | ||
| m.Get("/logout", auth.SignOut) |
There was a problem hiding this comment.
What's the point of this route? Convenience for testing?
There was a problem hiding this comment.
The button gets also changed to do a GET request by setting href. As I understand it, a GET request is needed to also cleanly redirect the user to the external URL.
There was a problem hiding this comment.
We could think about simplifying the "Sign out" button to just do a GET /user/logout always, to not have to check whether we have this new config setting.
There was a problem hiding this comment.
Hmm I think we ought to keep the POST for compatibilty reasons. Some users may have special integrations with the POST route in their reverse proxy.
There was a problem hiding this comment.
As I understand it, a GET request is needed to also cleanly redirect the user to the external URL.
If I understand HTTP correctly, one can also redirect in a POST response, can you try that? Logging out is a action that likely changes state on the server so a GET is semantically incorrect.
There was a problem hiding this comment.
I think we can create a small inline <form> to trigger the POST and change the link to a button with type=submit, so it works without JS.
Not sure how others feel but I think this case does not warrant the additional route.
There was a problem hiding this comment.
Thought that does present a challenge in the styling because we don't have CSS to style a button like a link. Could you show a screenshot of how this link currently looks?
There was a problem hiding this comment.
Screencast.From.2025-12-04.22-27-40.mp4
There was a problem hiding this comment.
after checking the code, maybe I know why you think post atcion can't be used for redirect action, first, we should comfirm curent logout steps: first do POST /logout by js, backed will response a json struct wich contain redirect=xxxx, then js will call a speciall post action to /-/fetch-redirect with a form contain redirect link, then the backen will do a redirect.
ref:
but sadly, in current design, /-/fetch-redirect will will block link to ather service, maybe we can remove this block, or render a warning page with a link for it. /cc @wxiaoguang
There was a problem hiding this comment.
but sadly, in current design,
/-/fetch-redirectwill will block link to ather service, maybe we can remove this block, or render a warning page with a link for it. /cc @wxiaoguang
No, the design is right. Otherwise "open redirect" security vulnerabilities.
You can allow more URL patterns which are known to be safe, but not remove it or bypass it.
When authentication is handled externally by a reverse proxy or SSO provider, users can be redirected to an external logout URL or relative path defined on the reverse proxy to fully logout.
eliroca
force-pushed
the
logout_redirect_main
branch
from
ceb6e88 to
23fd5f9
Compare
5 participants
When authentication is handled externally by a reverse proxy or SSO provider, users can be redirected to an external logout URL or relative path defined on the reverse proxy.